I just got an email from a company whom I'd really like to work for, but I am not convinced that the person emailing me is real, or a hoax. Is there a way based on the MIME information and all the email headers to heuristically determine if an email came from who it says it came from?

Update

Thanks to everyone for the great answers, I figured there was no one great way to tell. I checked the MX records on the DNS servers and the WHOIS records for the domains and IP addresses and it all checked out. Just for some context, I was contacted first on LinkedIn, so it wasn't totally out of the blue.

6 Answers

Not definitively. It's too easy to forge the information in the headers.

Use traditional methods to verify the company. Get the number of the company from 411 information and call them. Ask about the job title in question. If the job title checks out, ask to speak to the person responsible for the job opening.

Note: If money was mentioned in any way in the email, it's probably a fake. You can check it out by Googling a unique phrase in the email. Often such emails turn up on Snopes.com and similar sites.

Most reputable companies do not solicit employees this way, so unless you were referred by a colleague, it's probably fake.

Yeah, I tried Googling phrases in the email and found no hits. I found the person also on LinkedIn, Plaxo, Meetup and a couple of other sites, but I suppose it could be fake.
– daveslab Dec 22 '09 at 15:56

One thing that no one has mentioned is that you can fake all of the headers BUT if you look at the reply-to address that should be a good way to tell if it is a scam. I.e. if it is like this:

To: youremail@blabla
From: stevejobs@apple.com
reply to: stevejobs@apple.com

It is unlikely to be a scam. Even if you responded with your credit card number, home address and the name of your fav book, there is nothing the spammer could do because your reply would be sent to stevejobs.

If the message looks like this:

To: youremail@blabla
From: stevejobs@apple.com
reply to: stevejobs@otherapple.com

This should set off red flags. This email will not go to the sender. It will go to someone else. Remember in order for the spam to work it has to get back to the spammer.

Note: under certain circumstances this could still be spam but this is an extremely easy check.

The bottom-most Received: header is followed by the body of the message, which includes To: and From: headers, which can be forged. But let's follow the Received: headers:

The first header indicates that a server on IP address 10.0.0.4 named superuser.com sent a message to the server mail1.stackoverflow.com. Knowing that both of these names are to be expected in this case, the Received: header indicates an internal forward within the superuser complex of mail servers.

The next Received: header indicates that mail1.stackoverflow.com at address 69.59.196.214 forwarded the message to mx.google.com. We can confirm that the public IP address of mail1.stackoverflow.com is 69.59.196.214 and since google is my email provider, I would expect the mail-exchanger (mx) at google.com to be receiving my message. This is the first contact with my mail domain (google) and cannot be faked. Of course, there could be a load of faked Received: headers below this header, so finding the first reliable Received: header can be tricky.

The last two Received: headers show net 10 addresses, so these are forwards within the google domain. This is also not unexpected.

An evil mail server could insert many fake Received: headers into the stream, but there is always one that comes from a trusted source, in this case mx.google.com. This first trusted Received: header indicates the public IP address that actually forwarded the email. If this IP address is suspect, or does not match the reported domain name, then you must suspect the entire contents of the message.

You can read Received: headers in most email clients using a "view source" command. It takes a bit of skill to read bottom-up and find the first reliable Received: header, but once you find it, verifying it is quick and helpful.

Excellent answer! But are you sure that the Received: headers can't be faked?
– daveslab Dec 22 '09 at 20:56


Yes, they can be faked. But because each mail server prepends its own Received: header, at some point which may be difficult to discern, the Received: headers are being created by your own email server, and these are reliable. The bottom-most reliable Received: header indicates the real IP address of the "foreign" email system. If the IP checks out, it tends to indicate a good message. If it doesn't, or there are obvious fakeries as in so much spam, then it calls the entire message into question. It's not a recipe for a certain UP/DOWN decision -- just clues.
– kwe Dec 24 '09 at 23:46
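The two header checks described in the answers above, comparing the Reply-To domain with the From domain and walking the Received: chain down to the bottom-most hop written by your own provider, as an added Python example; this is not code from the original thread. The sample message, the trusted-provider settings (google.com plus the 10.0.0.0/8 range its internal hops use) and the address table that stands in for a DNS lookup are all constructed assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample message (not from the original page). It reproduces the path
# described above: superuser.com -> mail1.stackoverflow.com -> mx.google.com ->
# two internal net-10 hops, plus a Reply-To that differs from From.
SAMPLE_MESSAGE = """\
Received: from 10.0.0.9 (10.0.0.9) by 10.0.0.12 with SMTP; Tue, 22 Dec 2009 15:00:05 +0000
Received: from mx.google.com (10.0.0.7) by 10.0.0.9 with SMTP; Tue, 22 Dec 2009 15:00:04 +0000
Received: from mail1.stackoverflow.com (mail1.stackoverflow.com [69.59.196.214])
        by mx.google.com with ESMTP; Tue, 22 Dec 2009 15:00:03 +0000
Received: from superuser.com (superuser.com [10.0.0.4])
        by mail1.stackoverflow.com with SMTP; Tue, 22 Dec 2009 15:00:02 +0000
From: Steve Jobs <stevejobs@apple.com>
To: youremail@blabla
Reply-To: stevejobs@otherapple.com
Subject: Job opening

Hello, we would like to talk to you about a position.
"""

# Assumed trusted infrastructure: the recipient's provider and the private range
# its internal forwards use. Change these for your own mail provider.
TRUSTED_SUFFIXES = ("google.com",)
TRUSTED_NETS = (ipaddress.ip_network("10.0.0.0/8"),)

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _is_trusted(host):
    """True for hosts in the provider's domain or in its private net-10 hops."""
    host = host.strip("[];").lower()
    try:
        return any(ipaddress.ip_address(host) in net for net in TRUSTED_NETS)
    except ValueError:
        return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def parse_received(value):
    """Split one Received: header into from-host, recorded IP and by-host."""
    m = RECEIVED_RE.search(" ".join(value.split()))   # unfold continuation lines
    if not m:
        return None
    paren = m.group("paren") or ""
    ip = IP_RE.search(paren) or IP_RE.search(m.group("from"))
    return {"from": m.group("from").lower(),
            "ip": ip.group(0) if ip else None,
            "by": m.group("by").rstrip(";").lower()}


def first_trusted_hop(msg):
    """Walk Received: headers top-down (newest first) and return the bottom-most
    hop written by a trusted server. Everything below it could be forged."""
    last = None
    for raw in msg.get_all("Received", []):
        hop = parse_received(raw)
        if hop is None or not _is_trusted(hop["by"]):
            break          # first header not written by our own infrastructure
        last = hop
    return last


def handoff_matches(hop, expected_addresses):
    """Compare the claimed sending host with the IP the trusted server recorded.
    expected_addresses is a constructed stand-in for a DNS A-record lookup."""
    if hop is None or hop["ip"] is None:
        return False
    return expected_addresses.get(hop["from"]) == hop["ip"]


def reply_to_mismatch(msg):
    """True when Reply-To points at a different domain than From."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if not reply_addr:
        return False
    return from_addr.rsplit("@", 1)[-1].lower() != reply_addr.rsplit("@", 1)[-1].lower()


def analyse(raw_message, expected_addresses):
    msg = email.message_from_string(raw_message)
    hop = first_trusted_hop(msg)
    return {"handoff_from": hop["from"] if hop else None,
            "handoff_ip": hop["ip"] if hop else None,
            "handoff_ok": handoff_matches(hop, expected_addresses),
            "reply_to_mismatch": reply_to_mismatch(msg)}


if __name__ == "__main__":
    # The table stands in for looking up the claimed host in DNS (constructed value).
    print(analyse(SAMPLE_MESSAGE, {"mail1.stackoverflow.com": "69.59.196.214"}))
```

On the sample this reports the handoff as mail1.stackoverflow.com at 69.59.196.214, matching the table, and flags the Reply-To mismatch. The contiguous-from-the-top rule is the weak spot kwe mentions: a sender can append extra headers below the real handoff that also claim "by mx.google.com", so compare the timestamps and the exact wording your provider uses in its own Received: lines before trusting the result.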

As all of the e-mail headers can be faked there's no simple way to decide whether the e-mail is a fake or not. Are there any spelling mistakes - or more tellingly - grammatical mistakes? There might be one or two on a genuine message, but a lot would imply fake.

You could e-mail the person back - but you'd need to be careful about what you say.

However, don't reply to the e-mail, type in the e-mail address yourself.

It's not guaranteed as the company's e-mail server could just swallow invalid e-mail addresses rather than bouncing them (it can be a security risk to acknowledge that an address doesn't exist).

You could also set that you want a receive and/or read receipt - however, these can be ignored by the recipient.

At the very least, verify the email address with something like http://verify-email.org/. This just tells you if the sending email address exists; it does not verify that the message came from that person.

If the email address exists, look to see if the type of position mentioned is publicly listed, and then finally use one of the techniques above to follow up.

Call them up and ask to speak to him/her. If the response is "we have no-one of that name here", it's probably fake.

It's hard sometimes to work out even whether an email was sent by a human or by an automated script, and it's even harder to verify the identity of a sender.

One day, maybe, we'll all have personal certificates that we can routinely use in emails and other communications to verify each other's identity, but until then it'll require scepticism and lateral thinking.